Chromium Code Reviews

Unified Diff: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

Issue 143183007: Update policy signature verification to include policy domain. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fixed style error. Created 6 years, 10 months ago
Index: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
diff --git a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
index 3c25bac230efe9a6ec9d37bfe6db4f1c6d187c16..334f49f122689a8c0a4f6e710d8352d1700c6fb9 100644
--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
@@ -109,13 +109,24 @@ void EnrollmentHandlerChromeOS::OnPolicyFetched(CloudPolicyClient* client) {
validator->ValidateTimestamp(base::Time(), base::Time::NowFromSystemTime(),
CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
- if (install_attributes_->IsEnterpriseDevice())
- validator->ValidateDomain(install_attributes_->GetDomain());
+
+ // If this is re-enrollment, make sure that the new policy matches the
+ // previously-enrolled domain.
+ std::string domain;
+ if (install_attributes_->IsEnterpriseDevice()) {
+ domain = install_attributes_->GetDomain();
+ validator->ValidateDomain(domain);
+ }
validator->ValidateDMToken(client->dm_token(),
CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
validator->ValidatePolicyType(dm_protocol::kChromeDevicePolicyType);
validator->ValidatePayload();
- validator->ValidateInitialKey(GetPolicyVerificationKey());
+ // If |domain| is empty here, the policy validation code will just use the
+ // domain from the username field in the policy itself to do key validation.
+ // TODO(mnissler): Plumb the enrolling user's username into this object so
+ // we can validate the username on the resulting policy, and use the domain
+ // from that username to validate the key below (http://crbug.com/343074).
+ validator->ValidateInitialKey(GetPolicyVerificationKey(), domain);
validator.release()->StartValidation(
base::Bind(&EnrollmentHandlerChromeOS::PolicyValidated,
weak_ptr_factory_.GetWeakPtr()));
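Review bot: On first enrollment the `ValidateInitialKey(GetPolicyVerificationKey(), domain)` call receives an empty `domain`, because `domain` is only assigned inside the `IsEnterpriseDevice()` branch. Per the new comment, the validator then takes the domain from the username field of the policy being validated, so in that path the key's domain is checked against a value the policy supplies itself rather than one the device already trusts. The TODO covers the follow-up, but the comment should say outright that the initial-enrollment check only confirms the key and the policy's username agree, and that it does not tie the policy to the enrolling user's domain until http://crbug.com/343074 lands. The empty string is also an implicit sentinel for "domain unknown"; documenting that on `ValidateInitialKey`, or passing an explicit flag, would keep a later caller from handing in an empty domain by accident and silently getting the weaker check. A test that exercises this call with an empty `domain` would pin the fallback behaviour down.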
